{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4429", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-19T14:07:21.421Z", "datePublished": "2026-04-09T02:25:05.932Z", "dateUpdated": "2026-04-09T17:48:45.193Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T02:25:05.932Z"}, "affected": [{"vendor": "photoweblog", "product": "OSM \u2013 OpenStreetMap", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.1.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The OSM \u2013 OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attribute of the [osm_map_v3] shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "OSM <= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65dffde9-2a50-41fe-bc21-3d0915068887?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm_map_v3/osm-sc-osm_map_v3.php#L560"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm_map_v3/osm-sc-osm_map_v3.php#L560"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm_map_v3/osm-sc-osm_map_v3.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm_map_v3/osm-sc-osm_map_v3.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm-icon-class.php#L347"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm-icon-class.php#L347"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm-icon-class.php#L356"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm-icon-class.php#L356"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3493950%40osm&new=3493950%40osm&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ngoc Duc"}], "timeline": [{"time": "2026-03-22T12:35:48.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T17:46:57.472010Z", "id": "CVE-2026-4429", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T17:48:45.193Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4429", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T17:46:57.472010Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T17:48:35.253Z"}}], "cna": {"title": "OSM <= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ngoc Duc"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "photoweblog", "product": "OSM \u2013 OpenStreetMap", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.1.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-22T12:35:48.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65dffde9-2a50-41fe-bc21-3d0915068887?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm_map_v3/osm-sc-osm_map_v3.php#L560"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm_map_v3/osm-sc-osm_map_v3.php#L560"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm_map_v3/osm-sc-osm_map_v3.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm_map_v3/osm-sc-osm_map_v3.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm-icon-class.php#L347"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm-icon-class.php#L347"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm-icon-class.php#L356"}, {"url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm-icon-class.php#L356"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3493950%40osm&new=3493950%40osm&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The OSM \u2013 OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attribute of the [osm_map_v3] shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T02:25:05.932Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4429", "state": "PUBLISHED", "dateUpdated": "2026-04-09T17:48:45.193Z", "dateReserved": "2026-03-19T14:07:21.421Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-09T02:25:05.932Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OSM \u2013 OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attribute of the [osm_map_v3] shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4429", "lastModified": "2026-04-24T18:03:42.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-09T04:17:14.640", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm-icon-class.php#L347"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm-icon-class.php#L356"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm_map_v3/osm-sc-osm_map_v3.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/osm/tags/6.1.15/osm_map_v3/osm-sc-osm_map_v3.php#L560"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm-icon-class.php#L347"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm-icon-class.php#L356"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm_map_v3/osm-sc-osm_map_v3.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/osm/trunk/osm_map_v3/osm-sc-osm_map_v3.php#L560"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3493950%40osm&new=3493950%40osm&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65dffde9-2a50-41fe-bc21-3d0915068887?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.1.15]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "OSM \u2013 OpenStreetMap", "source": "cna", "vendor": "photoweblog"}, "product": "osm_\u2013_openstreetmap", "vendor": "photoweblog"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-09T04:22:12.320434+00:00", "value": {"mitigation_remediation": ["Upgrade the OSM \u2013 OpenStreetMap plugin to the latest version (6.1.16 or newer).", "If an upgrade is not immediately possible, disable the [osm_map_v3] shortcode or remove the plugin until an updated version is available.", "Verify that only trusted users hold Contributor or higher roles and consider tightening role permissions.", "Run a site\u2011wide scan for evidence of injected scripts in existing posts or pages."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the OSM \u2013 OpenStreetMap plugin, versions up to and including 6.1.15. Sites that have installed this plugin and grant Contributor or higher privileges to users are vulnerable. The vulnerability is specific to the plugin's handling of the [osm_map_v3] shortcode.", "description_and_impact": "The OSM \u2013 OpenStreetMap plugin for WordPress contains a stored Cross\u2011Site Scripting flaw in the marker_name and file_color_list attributes of the [osm_map_v3] shortcode. Because the plugin fails to sanitize or escape these inputs, an authenticated user with Contributor level access or higher can insert arbitrary JavaScript that will run in the browsers of anyone who views a page containing the injected shortcode. This vulnerability permits attackers to execute client\u2011side code in the context of the site, enabling session hijacking, defacement, or the delivery of additional malicious payloads.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated Contributor or better, making the attack vector internal. Once a shortcode is injected, the stored payload remains until the content is edited or the plugin is updated. Because the threat relies on user privileges, sites that limit Contributor access or use the latest version are less exposed. Nonetheless, if an attacker compromises a contributor account, the risk is significant for the affected website."}}}}, "created": "2026-04-09T08:15:46.103694+00:00", "updated": "2026-04-09T08:25:12.782029+00:00", "vendors": ["photoweblog", "photoweblog$PRODUCT$osm_\u2013_openstreetmap", "wordpress", "wordpress$PRODUCT$wordpress"]}